Run the txzonemgr Script

This script steps you through the tasks to properly configure, install, initialize, and
boot labeled zones. In the script, you name each zone, associate the name
with a label, install the packages to create a virtual OS, and
then boot the zone to start services in that zone. The script includes
copy zone and clone zone tasks. You can also halt a zone, change
the state of a zone, and add zone-specific network interfaces.

This script presents a dynamically determined menu that displays only the choices that are valid for the current state of the system. For instance, once a zone has been installed, the Install zone menu item is no longer displayed. Tasks that are completed do not appear in the list.

Before You Begin

You are superuser.

If you plan to clone zones, you have completed the preparation for
cloning zones. If you plan to use your own security templates, you have
created the templates.

Open a terminal window in the global zone.

Run the txzonemgr script.

# /usr/sbin/txzonemgr

The script opens the Labeled Zone Manager dialog box. This zenity dialog box prompts
you for the appropriate tasks, depending on the current state of your installation.

To perform a task, you select the menu item, then press the Return
key or click OK. When you are prompted for text, type the text
then press the Return key or click OK.

Configure the Network Interfaces in Trusted Extensions

Note - If you are configuring your system to use DHCP or to prevent
networks from contacting the global zone, refer to the laptop instructions in the
Trusted Extensions section of OpenSolaris Community: Security web page.

In this task, you configure the networking in the global zone. You
must create exactly one all-zones interface. An all-zones interface is shared by the
labeled zones and the global zone. The shared interface is used to route
traffic between the labeled zones and the global zone. To configure this interface,
do one of the following:

Create a logical interface from a physical interface, then share the physical interface.

This configuration is the simplest to administer. Choose this configuration when your system has been assigned two IP addresses. In this procedure, the logical interface becomes the global zone's specific address, and the physical interface is shared between the global zone and the labeled zones.

Share a physical interface

Choose this configuration when your system has been assigned one IP address. In this configuration, the physical interface is shared between the global zone and the labeled zones.

Share a virtual network interface, vni0

Choose this configuration when you are configuring DHCP, or when each subnetwork is at a different label. For a sample procedure, refer to the laptop instructions in the Trusted Extensions section of OpenSolaris Community: Security web page.

On a system with one IP address, share the physical interface.

In this configuration, the host's IP address applies to all zones, so the host's address is the all-zones address. This host cannot be used as a multilevel server. For example, users cannot share files from this system, and the system cannot be an LDAP proxy server, an NFS home directory server, or a print server.

Select Share and click OK.

At the prompt, accept the host name.

Dismiss the dialog box that displays the netmask.

The physical interface is displayed as an all-zones interface:

eri0 all-zones 10.10.9.8 cipso Up

You are successful when the physical interface is an all-zones interface. Skip the next step.

On a system with two IP addresses, create a logical interface.

Then, share the physical interface.

This is the simplest Trusted Extensions network configuration. In this configuration, the main
IP address can be used by other systems to reach any zone
on this system, and the logical interface is zone-specific to the global zone.
The global zone can be used as a multilevel server.

Select Create Logical Interface and click OK.

Dismiss the dialog box that confirms the creation of a new logical interface.

Select Set IP address and click OK.

At the prompt, specify the host name for the logical interface and click
OK.

For example, specify machine1-services as the host name for the logical interface. The
name indicates that this host offers multilevel services.

At the prompt, specify the IP address for the logical interface and click
OK.

For example, specify 10.10.9.2 as the IP address for the logical interface.

Select the logical interface again and click OK.

Select Bring Up and click OK.

The interface is displayed as Up.

eri0 global 10.10.9.1 cipso Up
eri0:1 global 10.10.9.2 cipso Up

Share the physical interface.

Select the physical interface and click OK.

Select Share and click OK.

eri0 all-zones 10.10.9.1 cipso Up
eri0:1 global 10.10.9.2 cipso Up

You are successful when at least one interface is an all-zones interface.
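The following check applies the rules of this procedure to the interface table that the Labeled Zone Manager displays: exactly one all-zones interface, every interface Up, and a global-zone-specific address if the host is to serve as a multilevel server. It is an added example, not part of txzonemgr or of Trusted Extensions; the three sample tables are constructed from the states shown in the steps above, and the five-column line format (interface, zone, address, host type, state) is assumed from those displays.

```python
"""Sanity-check a Trusted Extensions global-zone interface table.

Added example, not part of txzonemgr. The sample tables at the bottom are
constructed to match the status lines the Labeled Zone Manager displays
(interface, zone, IP address, host type, state)."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Interface:
    name: str        # "eri0", or a logical interface such as "eri0:1"
    zone: str        # "global" (zone-specific) or "all-zones" (shared)
    address: str
    host_type: str   # "cipso" on a Trusted Extensions host
    state: str       # "Up" or "Down"

    @property
    def physical(self) -> str:
        # A logical interface eri0:1 rides on the physical interface eri0.
        return self.name.split(":")[0]


def parse_status(text: str) -> List[Interface]:
    """Parse the five-column status lines shown by the Labeled Zone Manager."""
    ifaces = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 5:
            raise ValueError("unexpected status line: %r" % line)
        ifaces.append(Interface(*fields))
    return ifaces


def check_config(ifaces: List[Interface]) -> Tuple[bool, bool, List[str]]:
    """Return (valid, multilevel_capable, problems).

    valid: exactly one all-zones interface, every interface Up, and every
    logical interface backed by a listed physical interface.
    multilevel_capable: the global zone also has an address of its own, so
    other hosts can reach the global zone's services directly (the
    two-address configuration in the procedure).
    """
    problems = []
    shared = [i for i in ifaces if i.zone == "all-zones"]
    if len(shared) != 1:
        problems.append("expected exactly one all-zones interface, found %d"
                        % len(shared))
    down = [i.name for i in ifaces if i.state != "Up"]
    if down:
        problems.append("interfaces not Up: " + ", ".join(down))
    names = {i.name for i in ifaces}
    for i in ifaces:
        if ":" in i.name and i.physical not in names:
            problems.append("logical interface %s has no physical interface %s"
                            % (i.name, i.physical))
    global_specific = [i for i in ifaces if i.zone == "global"]
    multilevel = len(shared) == 1 and bool(global_specific)
    return (not problems, multilevel, problems)


# Constructed samples, taken from the states shown in the procedure.
ONE_ADDRESS_SHARED = "eri0 all-zones 10.10.9.8 cipso Up\n"

TWO_ADDRESSES_BEFORE_SHARE = (
    "eri0 global 10.10.9.1 cipso Up\n"
    "eri0:1 global 10.10.9.2 cipso Up\n"
)

TWO_ADDRESSES_SHARED = (
    "eri0 all-zones 10.10.9.1 cipso Up\n"
    "eri0:1 global 10.10.9.2 cipso Up\n"
)

if __name__ == "__main__":
    for label, table in (("one address", ONE_ADDRESS_SHARED),
                         ("two addresses, not yet shared", TWO_ADDRESSES_BEFORE_SHARE),
                         ("two addresses, shared", TWO_ADDRESSES_SHARED)):
        valid, multilevel, problems = check_config(parse_status(table))
        print("%-32s valid=%s multilevel_server=%s %s"
              % (label, valid, multilevel, "; ".join(problems)))
```

The two-address table before the Share step fails the check (no all-zones interface), which is the state in which labeled zones cannot yet reach the global zone. The one-address table passes but is reported as not multilevel-capable, matching the restriction stated for that configuration.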

Example 4-2 Viewing the /etc/hosts File on a System With a Shared Logical Interface

On a system where the global zone has a unique interface and
labeled zones share a second interface with the global zone, the /etc/hosts file appears
similar to the following:

The administrator also examines the contents of the /etc/hostname.hme0 file. The all-zones keyword is passed to ifconfig when the interface is configured at boot, so hme0 is shared with the labeled zones every time the system boots:

192.168.0.11 all-zones

Name and Label the Zone

You do not have to create a zone for every label in
your label_encodings file, but you can. The administrative GUIs enumerate the labels that
can have zones created for them on this system.

Before You Begin

You are superuser in the global zone. The Labeled Zone Manager dialog box
is displayed. To open this GUI, see Run the txzonemgr Script. You have configured the
network interfaces in the global zone.

You have created any security templates that you need. A security template defines,
among other attributes, the label range that can be assigned to a network
interface. The default security templates might satisfy your needs.

Although you could create one zone per label, consider creating the following zones:

On a system for all users, create one zone for the PUBLIC label and three zones for the CONFIDENTIAL labels.

On a system for developers, create a zone for the SANDBOX: PLAYGROUND label. Because SANDBOX: PLAYGROUND is defined as a disjoint label for developers, only systems that developers use need a zone for this label.

Do not create a zone for the MAX LABEL label, which is defined to be a clearance.

Create a new zone. At the prompt, type a name for the zone, then click OK.

Give the zone a name that reflects its label, such as public for the PUBLIC label.

The dialog box displays zone-name:configured above a list of tasks.

To label the zone, choose one of the following:

If you are using a customized label_encodings file, label the zone by using
the Trusted Network Zones tool.

Open the Trusted Network Zones tool in the Solaris Management Console.

Start the Solaris Management Console.

# /usr/sbin/smc &

Open the Trusted Extensions toolbox for the local system.

Choose Console → Open Toolbox.

Select the toolbox that is named This Computer (this-host: Scope=Files, Policy=TSOL).

Click Open.

Under System Configuration, navigate to Computers and Networks.

Provide a password when prompted.

Double-click the Trusted Network Zones tool.

For each zone, associate the appropriate label with the zone name.

Choose Action → Add Zone Configuration.

The dialog box displays the name of a zone that does not have
an assigned label.

Look at the zone name, then click Edit.

In the Label Builder, click the appropriate label for the zone name.

If you click the wrong label, click the label again to deselect it,
then click the correct label.

You are finished when every zone that you want is listed in
the panel, or the Add Zone Configuration menu item opens a dialog box
that does not have a value for Zone Name.

If you are using the default label_encodings file, use the Labeled Zone Manager.

Select the Select Label menu item and click OK to display the list of available labels.

Select the label for the zone.

For a zone that is named public, you would select the label PUBLIC
from the list.

Click OK.

A list of tasks is displayed.

Install the Labeled Zone

Before You Begin

You are superuser in the global zone. The zone is configured and has an assigned label.

The Labeled Zone Manager dialog box is displayed with the subtitle zone-name:configured.
To open this GUI, see Run the txzonemgr Script.

From the Labeled Zone Manager, select Install and click OK.

Caution - This process takes some time to finish. Do not perform other tasks while
this task is completing.

The system copies packages from the global zone to the non-global zone. This
task installs a labeled virtual operating system in the zone. To continue the
example, this task installs the public zone. The GUI displays output similar to
the following.

Troubleshooting

Sometimes, error messages are displayed and the zone does not reboot. In the
Zone Terminal Console, press the Return key. If you are prompted to type
y to reboot, type y and press the Return key. The zone reboots.

Next Steps

Go to Verify the Status of the Zone.

Verify the Status of the Zone

Note - The X server runs in the global zone. Each labeled zone must
be able to connect with the global zone to use the X server.
Therefore, zone networking must work before a zone can be used. For background
information, see Planning for Multilevel Access.

Verify that the zone has been completely started.

In the zone-name: Zone Terminal Console, log in as root.

hostname console login: root
Password: Type root password

In the Zone Terminal Console, verify that critical services are running.
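The check that this step asks for can be scripted from the output of two standard commands: zoneadm list -cv, run in the global zone, reports each zone's state (configured, installed, ready, running, and so on), and svcs, run at the zone's console, lists every enabled service with its state. The following is an added example, not part of txzonemgr or of Trusted Extensions; the zoneadm and svcs outputs below are constructed in the format of those commands rather than captured from a real system.

```python
"""Check that a labeled zone is running and that its services are healthy.

Added example, not part of txzonemgr. ZONEADM_SAMPLE is constructed in the
format of `zoneadm list -cv` (global zone); the SVCS_* samples are
constructed in the format of `svcs` run inside the zone."""

from typing import Dict, Optional

# Constructed: the global zone, one installed and booted labeled zone,
# and one zone that is configured but not yet installed.
ZONEADM_SAMPLE = """\
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   1 public           running    /zone/public                   native   shared
   - internal         configured /zone/internal                 native   shared
"""

# Constructed: `svcs` inside the zone. legacy_run entries are rc scripts
# that SMF lists but does not manage, so they are not failures.
SVCS_WITH_FAILURES = """\
STATE          STIME    FMRI
legacy_run     10:50:32 lrc:/etc/rc2_d/S20sysetup
online         10:50:30 svc:/system/svc/restarter:default
online         10:50:41 svc:/system/filesystem/local:default
maintenance    10:51:02 svc:/network/ssh:default
offline        10:51:05 svc:/network/nfs/client:default
"""

SVCS_HEALTHY = """\
STATE          STIME    FMRI
legacy_run     10:50:32 lrc:/etc/rc2_d/S20sysetup
online         10:50:30 svc:/system/svc/restarter:default
online         10:50:41 svc:/system/filesystem/local:default
online         10:50:44 svc:/network/ssh:default
"""


def zone_status(zoneadm_output: str, zone: str) -> Optional[str]:
    """Return the STATUS column for `zone`, or None if zoneadm does not list it."""
    for line in zoneadm_output.splitlines()[1:]:      # skip the header line
        fields = line.split()
        if len(fields) >= 3 and fields[1] == zone:
            return fields[2]
    return None


def unhealthy_services(svcs_output: str) -> Dict[str, str]:
    """Map FMRI -> state for every enabled service that is not settled online.

    A trailing '*' on a state (for example 'online*') marks a transition
    still in progress, so such services are reported as well.
    """
    bad = {}
    for line in svcs_output.splitlines()[1:]:         # skip the header line
        fields = line.split(None, 2)
        if len(fields) != 3:
            continue
        state, _stime, fmri = fields
        if state not in ("online", "legacy_run"):
            bad[fmri] = state
    return bad


def zone_ready(zoneadm_output: str, zone: str, svcs_output: str) -> bool:
    """True when the zone is running and none of its services need attention."""
    return (zone_status(zoneadm_output, zone) == "running"
            and not unhealthy_services(svcs_output))


if __name__ == "__main__":
    print("public:", zone_status(ZONEADM_SAMPLE, "public"))
    for fmri, state in sorted(unhealthy_services(SVCS_WITH_FAILURES).items()):
        print("needs attention: %-45s %s" % (fmri, state))
    print("ready:", zone_ready(ZONEADM_SAMPLE, "public", SVCS_HEALTHY))
```

A zone that zoneadm reports as configured or installed has not booted, so no service check is possible until it is running. For a service reported in maintenance or offline, run svcs -x at the zone console to see the reason and the log file to inspect.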

Customize the Labeled Zone

If you plan to clone or copy zones, this procedure configures a zone to serve as the template for the other zones. This procedure also configures a zone that was not created from a template, so that the zone is ready for use.

Before You Begin

In the Zone Terminal Console, disable services that are unnecessary in a labeled
zone.

If you copy or clone this zone, the services that you disable remain disabled in the new zones. The services that are online on your system depend on the service manifests in the zone. Use the netservices limited command to turn off services that labeled zones do not need.